Managed keys presumes the operator is actually using RFC5011 timings
to roll their keys. There are very few zones that have publicly
said they are using RFC 5011.
Named gets used on private networks. Those networks can use DNSSEC;
they can decide to use trusted-keys rather than RFC 5011.
Mark
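The two configurations the thread is arguing about, side by side, plus the "trusted-keys for the root KSK considered harmful" check that is suggested further down. This is an added example, not code from the thread or from ISC: the two named.conf fragments are constructed, the key material is a placeholder rather than the real root KSK, and the parser handles only flat trusted-keys / managed-keys blocks (no include statements or nested braces). It flags only a static anchor for "." so that, as Mark notes, a private network's own trusted-keys entry is left alone.

```python
import re

# Constructed pre-managed-keys named.conf: a static root trust anchor
# in trusted-keys. Key material is a placeholder, not the real root KSK.
OLD_NAMED_CONF = """
options {
    directory "/var/named";
    dnssec-validation yes;
};

// static root trust anchor: never updated by RFC 5011
trusted-keys {
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";
};
"""

# Constructed replacement: the same anchor as an RFC 5011 initial-key
# (managed-keys, BIND 9.7+), so named tracks the rollover by itself.
NEW_NAMED_CONF = """
options {
    directory "/var/named";
    dnssec-validation yes;
};

managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";
};
"""

# Constructed private-network case: a static anchor for an internal
# zone, which is legitimate and must not trigger the warning.
PRIVATE_NAMED_CONF = """
trusted-keys {
    "corp.example." 257 3 8 "PLACEHOLDER-CORP-KSK-BASE64";
};
"""

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_BLOCK_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\};", re.S)
_ENTRY_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+(?:(?P<type>initial-key|static-key)\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]*)"\s*;'
)


def strip_comments(text):
    """Drop /* */, // and # comments before matching."""
    return _COMMENT_RE.sub("", text)


def parse_trust_anchors(named_conf):
    """Return one dict per key found in trusted-keys / managed-keys blocks."""
    anchors = []
    for block in _BLOCK_RE.finditer(strip_comments(named_conf)):
        statement, body = block.group(1), block.group(2)
        for entry in _ENTRY_RE.finditer(body):
            anchors.append({
                "statement": statement,
                "zone": entry.group("name"),
                "keytype": entry.group("type"),   # None for trusted-keys
                "flags": int(entry.group("flags")),
                "protocol": int(entry.group("proto")),
                "algorithm": int(entry.group("alg")),
            })
    return anchors


def static_root_anchor_warnings(named_conf):
    """One warning per static root anchor; managed-keys and non-root
    trusted-keys entries produce none."""
    warnings = []
    for a in parse_trust_anchors(named_conf):
        if a["statement"] == "trusted-keys" and a["zone"] == ".":
            warnings.append(
                "trusted-keys holds a static root anchor (flags %d, alg %d); "
                "it will not follow an RFC 5011 rollover, use managed-keys "
                "or dnssec-validation auto" % (a["flags"], a["algorithm"])
            )
    return warnings


if __name__ == "__main__":
    for label, conf in (("old", OLD_NAMED_CONF), ("new", NEW_NAMED_CONF),
                        ("private", PRIVATE_NAMED_CONF)):
        print(label, static_root_anchor_warnings(conf) or "ok")
```

The check is a warning rather than a refusal to start, which is the "easy and non-controversial first step" the thread proposes; the stricter option of deprecating the syntax altogether is argued separately below. With BIND 9.8 and later, `dnssec-validation auto;` uses the compiled-in root key under RFC 5011 and needs neither block.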
On Thu, Feb 08, 2018 at 10:06:02AM -0800, Paul Vixie wrote:
> > At the very least, a "trusted-keys for the root KSK considered
> > harmful" syslog message would be a hopefully easy and
> > non-controversial first step in the right direction.
>
> i think that's entirely reasonable, and based on
Matt Larson wrote:
Out of curiosity, what other changes have there been that
deliberately invalidated a working config?
the big one was last-bind8 to first-bind9. there were also some minor
ones over the years like changing the default for allow-query to be
localnets rather than any. since
> On Feb 8, 2018, at 12:32 PM, Paul Vixie wrote:
>
>
>
> Matt Larson wrote:
>> I would love to see BIND's trusted-keys syntax deprecated. Not the
>> ability to configure a trust anchor statically, mind you, just the
>> syntax. Changing the syntax and refusing to start with
Matt Larson wrote:
I would love to see BIND's trusted-keys syntax deprecated. Not the
ability to configure a trust anchor statically, mind you, just the
syntax. Changing the syntax and refusing to start with trusted-key in
the configuration file would force those who are dragging old config
> > Speaking only for myself - I have done many BIND upgrades without config
> > file changes (and I basically expect this to work).
>
> i apologize, again, for the config file from last-bind8, not working in
> all cases with first-bind9. i don't work at ISC any more, but i think i
> can safely
sth...@nethelp.no wrote:
Speaking only for myself - I have done many BIND upgrades without config
file changes (and I basically expect this to work).
i apologize, again, for the config file from last-bind8, not working in
all cases with first-bind9. i don't work at ISC any more, but i think
> On Feb 8, 2018, at 9:43 AM, Joe Abley wrote:
>
>
>
>> On 8 Feb 2018, at 09:24, sth...@nethelp.no wrote:
>>
>>> If just to spread rumors, I heard the following as early as November, 2016.
>>> One of the issues is that operators update code without updating
>>>
> On 8 Feb 2018, at 09:24, sth...@nethelp.no wrote:
>
>> If just to spread rumors, I heard the following as early as November, 2016.
>> One of the issues is that operators update code without updating
>> configuration files. I.e., a BIND upgraded today might be using a
>> configuration
On 08/02/2018 14:18, Edward Lewis wrote:
> I am not saying this theory has been put to the test, but it is
> compelling. This hypothesis is in the ICANN deck on the KSK rollover
> used throughout 2017 (until the postponement).
Another hypothesis is configurations where the directory in which
> If just to spread rumors, I heard the following as early as November, 2016.
> One of the issues is that operators update code without updating
> configuration files. I.e., a BIND upgraded today might be using a
> configuration file from the pre-managed-key days.
Speaking only for myself -